Jump to content
Welcome to our new Citrix community!

Responder Policy not working with content switch using Proxy Protocol


David Boxall

Recommended Posts

I am having issues getting a reponder policy to work when asigned to my content switch vServer ( Its acting as a proxy so using the proxy protocol type ).  I am trying to deny certain traffic using a reponder policy to drop the request.

 

HTTP.REQ.URL.PATH_AND_QUERY.STARTSWITH("/example")

 

I am getting zero hits on the policy where am i going wrong ? it seems like the Content Switch ( Proxy ) is ignoring the policy. 

 

Cheers

Dave

 

Link to comment
Share on other sites

First off are user requests actually going to http://demo.domain.com/example<stuff> or /Example

As the startswith operator as listed above is case-sensitive unless you change the expression to http.req.url.path_and_query.set_text_mode(ignorecase).starts...

 

Is the responder feature enabled. 

 

But the real issue may be in fact because you are using the PROXY protocol vserver type, the ADC may be unable to parse the HTTP request as it is treating it as L4 TCP traffic.

As a test, I would see if you kept the policy as is but bound it to an HTTP or SSL vserver and it works but does nothing on the PROXY vserver, then the problem is the lack of visibility into the HTTP elements and you would need to break it down from a TCP standpoint instead.

 

Then, look to see if you are getting UNDEF result hits on the responder policy; you may need to set a custom action to see this as the default is NOOP which means don't do responder.

 

Here's some info on proxy:  https://support.citrix.com/article/CTX224265

 

Link to comment
Share on other sites

Going back to basics: does the OP's vserver actually NEED to be of type proxy? A veserver of type proxy is used for very specific purposes. If it's really just an HTTP vserver (and yes, the way Netscaler / Citrix ADC works, the vserver always acts as a proxy), then HTTP would work just fine.... and that would allow the rewrite to work ok.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...